Sorry, I also forgot to vote and just commented on the jackson CVE. But +1, I did the usual:
tests pass, after building I started ZK and ran a few commands
Checked the bin package, license files look to be in order, server runs, commands work
Signature OK.

Regards,
Norbert

On Thu, Sep 26, 2019 at 9:50 AM Enrico Olivelli <[email protected]> wrote:

> Hi folks,
> all the community is invited to test this release candidate
>
> and we need at least three binding VOTEs
>
> Best regards
> Enrico
>
> On Mon 23 Sep 2019 at 11:22, Enrico Olivelli <[email protected]> wrote:
>
> > Links to the details:
> > https://github.com/FasterXML/jackson-databind/issues/2449
> > https://github.com/FasterXML/jackson-databind/issues/2449
> >
> > @Andor Molnár <[email protected]> is it a -1 from your side ?
> >
> > The rush for 3.5.6 is more about delivering a version of ZK without the
> > security issues reported for Jackson Databind, so it may make sense to
> > cancel this vote (but I am not doing it actually)
> > Btw we can't follow the fast pace of DataBind and CVEs
> >
> > This is interesting
> >
> > https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
> >
> > As we are not affected by the issues above I suggest to move forward with
> > the current tag
> >
> > Enrico
> >
> > On Mon 23 Sep 2019 at 11:07, Norbert Kalmar <[email protected]> wrote:
> >
> >> These CVEs do not affect ZooKeeper, both are related to Hikari which is not
> >> used at all by ZooKeeper. (It's a JDBC connection pooling library)
> >>
> >> https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html
> >>
> >> On Mon, Sep 23, 2019 at 6:40 AM Andor Molnar <[email protected]> wrote:
> >>
> >> > Hi Enrico!
> >> >
> >> > Looks like owasp is reporting 2 new issues with jackson-databind-2.9.9.3:
> >> >
> >> > https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk-owasp/493/artifact/build/test/owasp/dependency-check-report.html
> >> >
> >> > If I’m not mistaken.
> >> >
> >> > Andor
> >> >
> >> > > On 2019. Sep 20., at 22:18, Enrico Olivelli <[email protected]> wrote:
> >> > >
> >> > > This is a bugfix release candidate for 3.5.6.
> >> > >
> >> > > It fixes 27 issues, including upgrade of third party libraries,
> >> > > TTL Node APIs for C API, support for PKCS12 Keystores, and better procedure
> >> > > for the upgrade of servers from 3.4 to 3.5.
> >> > >
> >> > > The full release notes are available at:
> >> > >
> >> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
> >> > >
> >> > > *** Please download, test and vote by September 23rd 2019, 23:59 UTC+0. ***
> >> > >
> >> > > Source files:
> >> > > https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-1
> >> > >
> >> > > Maven staging repo:
> >> > > https://repository.apache.org/content/repositories/orgapachezookeeper-1041/
> >> > >
> >> > > The release candidate tag in git to be voted upon: release-3.5.6-rc1
> >> > > https://github.com/apache/zookeeper/tree/release-3.5.6-rc1
> >> > >
> >> > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> >> > > https://www.apache.org/dist/zookeeper/KEYS
> >> > >
> >> > > Should we release this candidate?
> >> > >
> >> > > Enrico Olivelli
